CISA Adds Actively Exploited SimpleHelp, Samsung MagicINFO, and D-Link Flaws to KEV Catalog

Summary

CISA has added four actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, with a federal remediation deadline of May 8, 2026. The additions target flaws in SimpleHelp remote support software, Samsung MagicINFO 9 Server, and end-of-life D-Link DIR-823X routers.

The SimpleHelp vulnerabilities are particularly concerning as a pair: CVE-2024-57726 (CVSS 9.9) allows low-privileged technicians to escalate to server admin via API key abuse, while CVE-2024-57728 (CVSS 7.2) enables arbitrary file uploads through path traversal. Chained together, they’ve been linked to DragonForce ransomware campaigns. Samsung’s CVE-2024-7399 (CVSS 8.8) is a path traversal flaw being exploited to deploy Mirai botnet variants despite patches being available since August 2024. The D-Link CVE-2025-29635 (CVSS 7.5) affects end-of-life routers with no fix available — CISA recommends discontinuing their use entirely.

These additions follow a broader pattern of CISA expanding its KEV catalog as exploitation timelines shrink. All four vulnerabilities are being actively exploited in the wild, making immediate patching or mitigation critical for affected organizations.
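A defender's first step after a KEV update is to check which new entries actually match deployed assets and how much of the remediation window is left. The triage helper below is an added example, not the post's or CISA's own tooling: it parses a constructed sample in the shape of CISA's KEV JSON feed (trimmed to the fields it uses), matches entries against a constructed inventory, and ranks them. The CVE IDs, products and 2026-05-08 due date come from the post; the `knownRansomwareCampaignUse` flags (set to "Known" for the SimpleHelp pair per the DragonForce note) and the `requiredAction` wording are assumptions.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed, trimmed to the fields
# used below. CVE IDs, vendor/product names and the 2026-05-08 due date follow
# the post; the ransomware flags and requiredAction text are assumptions.
SAMPLE_KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-57726", "vendorProject": "SimpleHelp", "product": "SimpleHelp",
     "dueDate": "2026-05-08", "knownRansomwareCampaignUse": "Known",
     "requiredAction": "Apply mitigations per vendor instructions."},
    {"cveID": "CVE-2024-57728", "vendorProject": "SimpleHelp", "product": "SimpleHelp",
     "dueDate": "2026-05-08", "knownRansomwareCampaignUse": "Known",
     "requiredAction": "Apply mitigations per vendor instructions."},
    {"cveID": "CVE-2024-7399", "vendorProject": "Samsung", "product": "MagicINFO 9 Server",
     "dueDate": "2026-05-08", "knownRansomwareCampaignUse": "Unknown",
     "requiredAction": "Apply mitigations per vendor instructions."},
    {"cveID": "CVE-2025-29635", "vendorProject": "D-Link", "product": "DIR-823X",
     "dueDate": "2026-05-08", "knownRansomwareCampaignUse": "Unknown",
     "requiredAction": "This product is end-of-life; discontinue use."},
]})

# Constructed asset inventory: KEV product name -> number of deployed instances.
INVENTORY = {"SimpleHelp": 3, "MagicINFO 9 Server": 1, "DIR-823X": 2, "Unrelated Widget": 7}

def triage_kev(kev_json, inventory, today_iso):
    """Match KEV entries to deployed products and rank them by urgency.

    Returns a list of dicts sorted so overdue items come first, then
    ransomware-linked ones, then the shortest remaining deadline."""
    today = date.fromisoformat(today_iso)
    hits = []
    for v in json.loads(kev_json)["vulnerabilities"]:
        count = inventory.get(v["product"], 0)
        if count == 0:
            continue  # not deployed here; nothing to remediate
        due = date.fromisoformat(v["dueDate"])
        action = v["requiredAction"].lower()
        hits.append({
            "cve": v["cveID"],
            "product": v["product"],
            "instances": count,
            "days_left": (due - today).days,
            "overdue": today > due,
            "ransomware": v["knownRansomwareCampaignUse"] == "Known",
            # End-of-life entries cannot be patched; the only fix is replacement.
            "replace": "end-of-life" in action or "discontinue" in action,
        })
    hits.sort(key=lambda h: (not h["overdue"], not h["ransomware"], h["days_left"]))
    return hits

if __name__ == "__main__":
    for h in triage_kev(SAMPLE_KEV_JSON, INVENTORY, "2026-04-30"):
        print(h)
```

Pointing the same function at the live feed and a real CMDB export turns the post's four entries into a per-asset work list with deadlines.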

Sources

Commentary

The SimpleHelp chain is the standout here. Remote support tools are high-value targets because they’re designed to have deep system access — compromising them gives attackers the keys to the kingdom, and the DragonForce ransomware connection shows that threat actors know this. If you’re running SimpleHelp, this is a drop-everything-and-patch situation.

The Samsung MagicINFO situation is a frustrating case study in patch management failure. Samsung shipped fixes in August 2024 — nearly two years ago — yet enough servers remain unpatched that attackers are still finding success deploying Mirai through it. And the D-Link situation is even simpler: if your infrastructure depends on end-of-life hardware with no security updates, you’re volunteering to be compromised. Replace it.
